Exploit kits: spring 2019 review

In terms of active distribution campaigns, exploit kit activity has remained largely unchanged since our winter review. This spring edition does, however, feature a new exploit kit, as well as an atypical EK that specifically goes after routers.

The main driver behind these drive-by download attacks is a set of malvertising chains with strong geolocation filtering, which explains why some exploit kits are less visible than others depending on where you are.

According to our telemetry, the US is by far the country most affected by exploit kits, while Spain and South Korea are leading in Europe and Asia, respectively.

Spring 2019 overview

Spelevo EK

Fallout EK

Magnitude EK

RIG EK

Underminer EK

Router EK

Vulnerabilities

Spelevo EK

Spelevo EK is a new exploit kit that was identified in March 2019 and features the most recent Flash exploit (CVE-2018-15982). Based on our internal tests, Spelevo’s Flash exploit will check for and avoid virtual machines before delivering its payload.

Payloads seen: PsiX Bot, IcedID

Fallout EK

Fallout EK is one of the more active exploit kits with some of the more intricate URI patterns. For a while, Fallout was loading its IE exploit via a GitHub PoC, but it eventually switched back to self-hosting.

Router EK

Router exploit kits are not new (see DNSChanger EK), but they are quite dangerous, as they are part of drive-by attacks that alter your router’s DNS settings via cross-site request forgery (CSRF). The particular one we show here (Novidade) targets Brazilian users. The end goal is typically to redirect users to phishing websites with victims being none the wiser.

Payload seen: DNS changer
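To make the CSRF mechanism concrete from the defender's side, here is an added example (not code from the original post, and not from any router vendor) that models a router's "set DNS servers" admin endpoint twice: once with the weakness that a drive-by page can abuse, and once hardened with an Origin check and a per-session CSRF token. The request/response model, the `192.168.0.1` router address, the `malvertising.example` origin and all function and field names are constructed for illustration.

```python
"""Minimal model of a router admin endpoint that changes DNS settings.

set_dns_vulnerable() trusts any request that carries the admin session cookie,
which is exactly what a browser sends automatically when a malicious page on
another origin submits a hidden form to the router (cross-site request forgery).
set_dns_hardened() adds the checks that stop that: method restriction, a
same-origin check on the Origin/Referer header, and a session-bound CSRF token.
All names here are hypothetical; this is not any real router's firmware.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

ROUTER_ORIGIN = "http://192.168.0.1"  # constructed LAN address of the admin UI


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    cookies: dict = field(default_factory=dict)


@dataclass
class RouterState:
    dns_servers: list
    session_tokens: dict = field(default_factory=dict)  # session id -> CSRF token


def issue_csrf_token(state: RouterState, session_id: str) -> str:
    """Called when the admin UI renders the settings page: one random token per session."""
    token = secrets.token_urlsafe(32)
    state.session_tokens[session_id] = token
    return token


def same_origin(url: str, expected: str) -> bool:
    """Compare scheme and host:port only; the Referer may carry a path."""
    a, b = urlparse(url), urlparse(expected)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def set_dns_vulnerable(state: RouterState, req: Request) -> int:
    """Weak handler: the session cookie is the only thing checked."""
    if req.cookies.get("session") not in state.session_tokens:
        return 401
    state.dns_servers = [req.form["dns1"], req.form["dns2"]]
    return 200


def set_dns_hardened(state: RouterState, req: Request) -> int:
    """Hardened handler: cookie alone is never enough to change settings."""
    sid = req.cookies.get("session")
    if sid not in state.session_tokens:
        return 401
    if req.method != "POST":          # state changes never ride on GET
        return 405
    # Browsers attach Origin to cross-origin POSTs; fall back to Referer.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None or not same_origin(origin, ROUTER_ORIGIN):
        return 403
    # Token is bound to the session and unknown to any other origin.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(state.session_tokens[sid], supplied):
        return 403
    state.dns_servers = [req.form["dns1"], req.form["dns2"]]
    return 200


def run_demo() -> dict:
    """Replay one forged and one legitimate request against both handlers."""
    original = ["192.168.0.1"]
    rogue = ["203.0.113.5", "203.0.113.6"]  # constructed, documentation-range IPs

    # Constructed cross-site request: the victim's browser adds the cookie itself.
    forged = Request("POST", {"Origin": "http://malvertising.example"},
                     {"dns1": rogue[0], "dns2": rogue[1]}, {"session": "s1"})

    weak = RouterState(dns_servers=list(original))
    issue_csrf_token(weak, "s1")
    weak_status = set_dns_vulnerable(weak, forged)

    strong = RouterState(dns_servers=list(original))
    token = issue_csrf_token(strong, "s1")
    forged_status = set_dns_hardened(strong, forged)

    # Legitimate change made from the admin page itself, carrying the token.
    legit = Request("POST", {"Origin": ROUTER_ORIGIN},
                    {"dns1": "1.1.1.1", "dns2": "9.9.9.9", "csrf_token": token},
                    {"session": "s1"})
    legit_status = set_dns_hardened(strong, legit)

    return {
        "weak_status": weak_status, "weak_dns": weak.dns_servers,
        "forged_status": forged_status, "dns_after_forgery": strong.dns_servers,
        "legit_status": legit_status, "dns_after_legit": strong.dns_servers,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of the two handlers side by side is that the vulnerable one accepts the forged request purely because the session cookie is present, while the hardened one rejects it before touching `dns_servers`; the same cookie still lets the genuine admin page, which holds the token, succeed. Marking the session cookie `SameSite=Lax` or `Strict` in a real firmware is a complementary browser-side defence, but the server-side token and origin check are what hold up when that attribute is unsupported.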

Mitigation

Malwarebytes users are protected against these exploit kits, thanks to our anti-exploit and web protection technologies. The animation below features Malwarebytes Endpoint Protection and Response, one of our business products, and shows how it blocks each of these attacks.